Lauren Buchholz #1
ASP.NET process impersonation on IIS6
Hi, I have an application that was originally designed under IIS5.1 and
ASP.NET that used a setting in the machine.config that would allow my
worker process to run under a different account. I know that the new worker
process isolation mode changes how this works, but I have been unable to get
my application to run as the account I would like while keeping IIS in
native mode. Anyone know how to do this?
More specifically, we need a .NET app to connect to a PKI based SSL web
service. The way we had it working in the past is that we would create a
limited security account, install the proper certificates in that account,
and then run the worker process as that account. Is there a better way to
do this now in Windows 2003?
Lauren Buchholz Guest
-
Ram Sunkara [msft] #2
Re: ASP.NET process impersonation on IIS6
If IIS is running in worker process isolation mode (IIS6 native mode in
Windows .NET Server 2003) "processModel" account specified in the
machine.config file is ignored.
If you want to run your web application on a specific account, just simply
change the application pool identity to the account you wanted to run your
web application under. And make sure this account is a member of local
IIS_WPG group.
You may want to review your application architecture if this is an internet
facing box as there are lots of security issues involved in running the
application pool on a privileged account.
Ram Sunkara [msft] Guest
-
Lauren #3
Re: ASP.NET process impersonation on IIS6
Thanks, I will give that a shot today. When I was playing
around I tried all of this, minus the step of adding the
account to the IIS_WPG on the machine and was getting some
strange errors.
Regards
Lauren Guest
-
Lauren Buchholz #4
Re: ASP.NET process impersonation on IIS6
Is there a better way to have my asp.net account store the certificate that
it needs to access the web service I am trying to use? My original solution,
although functional, doesn't seem like it is optimal. I have tried using the
certificates MMC plugin to import the certificate, but the only service I
can see is the web server process itself, which I don't believe is the
correct service to store the personal certificate. Is the only way to have
ASP.NET contact a site via a personal certificate to use an impersonated
account, or is there a more secure way to do this?
Lauren Buchholz Guest
-
Ram Sunkara [msft] #5
Re: ASP.NET process impersonation on IIS6
Well, the easiest way would be to import the certificate into the user store
under which you wanted to run your web application. From your web
application before calling the web service do a RevertToSelf to impersonate
ASP.NET thread security context (in this case the user context you wanted
ASP.NET to run under).
When your call is completed make sure the thread impersonates back the
current user.
Calling RevertToSelf involves InteropServices.
Ram-
Ram Sunkara [msft] Guest
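
The sequence described in reply #5 (revert to the process identity, present the client certificate from that account's store, then restore the caller's impersonation), as an added C# example that is not code from the thread or from Microsoft. The class name `ClientCertCaller`, the `serviceUrl` and `thumbprint` parameters, and the thumbprint lookup are assumptions; it requires .NET Framework 2.0 or later and a certificate whose private key the application pool account can read.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Net;
using System.Runtime.InteropServices;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;

public static class ClientCertCaller // hypothetical helper name
{
    // Win32 call named in the post: removes the thread's impersonation token,
    // so the thread runs as the process (application pool) identity.
    [DllImport("advapi32.dll", SetLastError = true)]
    private static extern bool RevertToSelf();

    // serviceUrl and thumbprint are caller-supplied (assumed parameters).
    public static string Call(string serviceUrl, string thumbprint)
    {
        // Null when the thread is not impersonating; otherwise the caller to restore.
        WindowsIdentity caller = WindowsIdentity.GetCurrent(true);
        if (!RevertToSelf())
            throw new Win32Exception(Marshal.GetLastWin32Error());
        try
        {
            // Now running as the pool account: read its personal certificate store.
            X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection found;
            try { found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, true); }
            finally { store.Close(); }
            if (found.Count != 1)
                throw new InvalidOperationException("Expected exactly one valid client certificate.");

            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(serviceUrl);
            request.ClientCertificates.Add(found[0]);
            using (WebResponse response = request.GetResponse())
            using (StreamReader reader = new StreamReader(response.GetResponseStream()))
                return reader.ReadToEnd();
        }
        finally
        {
            // Always put the caller's token back; if this throws, the request fails
            // instead of continuing under the pool account.
            if (caller != null) caller.Impersonate();
        }
    }
}
```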




